Security Basics mailing list archives
Re[4]: suggestions on a good firewall
From: Malte von dem Hagen <DocValde () gmx de>
Date: Fri, 23 May 2003 15:40:05 +0200
Hello Jeff, on Wednesday, 21 May 2003 at 19:45:44 you wrote:
>> Hello Jeff, on Tuesday, 20 May 2003 at 18:35:30 you wrote:
>> First of all, a firewall is a concept and not a machine, so one has to choose a concept for it. You cannot compare a Cisco Router with Firewall
> I did not say Cisco Router with Firewall, I said Cisco and meant the PIX line
Even the PIX as a stateful inspection firewall isn't comparable to an Application Level Gateway as the Raptor is. They are serving different needs.
>> Feature Set to a Raptor. If one needs a packet filter-like firewall component, I would always recommend OpenBSD - not Linux, not Cisco or anything else. Why? Because OpenBSD is one of the most secure Operating Systems, and that's one of the most important points when choosing a firewall component. You need a secure and stable platform. The BSD Unices (all of them) are such a platform - more secure and more stable than Linux, even than Cisco IOS.
> I would disagree with the assumption that BSD is more secure than Cisco IOS. I would be interested in any facts you might have on the subject, though?
Well, first of all, BSD is Open Source, Cisco IOS isn't. Open Source per se is more secure than closed source because it delivers powerful tools for code quality, such as peer review, for example. Second, take a look at the security mailing lists like Bugtraq: You'll find more remote vulnerabilities for Cisco IOS than for OpenBSD. IMHO, that indicates a higher code quality regarding security issues.
>> Everyone with rudimentary knowledge in Unix-based systems can set up and maintain such a system, when he or she is willing to read and learn a bit. It is not as difficult as it may seem...
> True, the *ixes are not hard at all to learn and maintain
They are, if you are inexperienced and want to have a complete and comfortable desktop system. But we talk about firewalling services, and these don't involve too many parts of the system. It's just the ruleset, logging and a little bit of system hardening. But we agree on this point. :-)
>> Only exception: A medium to large network with single-vendor-Cisco-strategy. In that scenario, it may be useful to choose a PIX, for management reasons.
> true there are some great tools for line PIX firewalls line
I had the Cisco Secure Policy Manager in mind. If you manage a bunch of routers and switches with it, it will be a lot easier to integrate one further system like a PIX in this concept than to set up a totally new and different one like a BSD Firewall.

I don't stand here and state the Cisco PIX Firewalls as "insecure". I only trust BSD a bit more and favour Open Source. Furthermore, I think BSD Firewalls are quite comfortably manageable. Anyone with basic Unix knowledge doesn't have to learn a lot of new stuff, and can use the new knowledge and abilities in other fields of Unix. BSDs can be extremely powerful systems, especially when you take a look at the new possibilities in FreeBSD 5.0 (jailing, file ACLs...).

Regards,
Malte.

--
Malte von dem Hagen
DocValde () gmx de
http://www.docvalde.net/